Re: [secdir] Sec-Dir review of draft-ietf-opsec-vpn-leakages-02
Fernando Gont <fgont@si6networks.com> Tue, 10 December 2013 17:48 UTC
Return-Path: <fgont@si6networks.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F2691ADFE4; Tue, 10 Dec 2013 09:48:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yZwz_5oYo_Vt; Tue, 10 Dec 2013 09:48:14 -0800 (PST)
Received: from web01.jbserver.net (web01.jbserver.net [IPv6:2a00:d10:2000:e::3]) by ietfa.amsl.com (Postfix) with ESMTP id 7CF1A1AE13D; Tue, 10 Dec 2013 09:48:14 -0800 (PST)
Received: from [186.137.77.127] (helo=[192.168.3.102]) by web01.jbserver.net with esmtpsa (TLSv1:DHE-RSA-CAMELLIA256-SHA:256) (Exim 4.80.1) (envelope-from <fgont@si6networks.com>) id 1VqRPc-00005l-KR; Tue, 10 Dec 2013 18:48:00 +0100
Message-ID: <52A75046.7020008@si6networks.com>
Date: Tue, 10 Dec 2013 14:32:54 -0300
From: Fernando Gont <fgont@si6networks.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.1.1
MIME-Version: 1.0
To: "Moriarty, Kathleen" <kathleen.moriarty@emc.com>, "draft-ietf-opsec-vpn-leakages.all@tools.ietf.org" <draft-ietf-opsec-vpn-leakages.all@tools.ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
References: <F5063677821E3B4F81ACFB7905573F240653E7FF01@MX15A.corp.emc.com> <52A6C883.2080709@si6networks.com> <F5063677821E3B4F81ACFB7905573F2406541F22C3@MX15A.corp.emc.com>
In-Reply-To: <F5063677821E3B4F81ACFB7905573F2406541F22C3@MX15A.corp.emc.com>
X-Enigmail-Version: 1.5.2
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Subject: Re: [secdir] Sec-Dir review of draft-ietf-opsec-vpn-leakages-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Dec 2013 17:48:17 -0000
Hi, Kathleen,
Thanks so much for your prompt response! Please find my comments in-line...
On 12/10/2013 01:25 PM, Moriarty, Kathleen wrote:
> On 12/09/2013 07:21 PM, Moriarty, Kathleen wrote:
>> The reference to VPN, never distinguishes if the document is
>> referring to an IPSec or TLS VPN.
>
> That's intentional. At the end of the day, what you use to tunnel
> your packets does not really affect the underlying issues.
>
> KM> IPsec and TLS VPNs operate on different levels of the stack,
> hence the issue you seek to address will be handled differently in
> each case.
Both cases seem to "capture" traffic by installing more specific entries
in the routing table (or replacing the existing ones) and employing e.g.
a tun device....
> The use cases you describe are very specific to IPsec VPN
> tunnels in that IPsec VPNs are intended to route all traffic from the
> client endpoint that has an installed agent to a VPN gateway.
Actually, this came up as a result with my experience with TLS-based
OpenVPN... but the issues are very similar with IPsec -- e.g. this I-D
resulted in corresponding patches in the OpenBSD IPsec implementation.
[....]
>> I suspect IPSec from the document, but making this clear would be
>> helpful to the reader. TLS has become popular when providing
>> restricted access and may be just an encrypted session to a
>> particular service as opposed to a full VPN with routed traffic
>> using IPSec. Unfortunately, language has blurred here, mostly
>> because of marketing, so clarity would be helpful to avoid possible
>> confusion for the reader.
>
> As noted above, this is actually intentional, and I'd personally
> leave this "as is" -- put please let me know what you think.
>
> KM> See above, thanks!
Please check the above. That said, for fairness sake, I'll love the
input from others..
And, in case we go forward with your proposed change, what are the
specific changes you envision?
>> Is the draft intended for developers/implementers or operational
>> teams/VPN users -- or both?
>
> Both.
>
> KM> OK, great, you may want to call out the specific recommendations
> for each, state when it applies to both, or state that all options
> apply to developers/implementers, operational teams, and VPN end
> users.
This I-D boils down to "When thinking about securiing data transfer t a
remote site, you must keep both IPv6 and IPv4 in mind".
I'm not sure I can see a real difference between what's the specific
underlying technology you employ...
>> The proposed fixes could be done by the VPN software or operators
>> could disable interfaces, the former would obviously be preferred
>> and the abstract mentions products, so you may want to repeat that
>> preference later in the document.
>
> So far, the I-D proposes that the fixes should be implemented by the
> VPN client. ONly the "Security Considerations" section mentions
> "disabling IPv6" as a mitigation (i.e., "last resort" thing).
>
> KM> I would suggest that you add in a statement then to make the
> objective clear that the recommendations are for improvements in the
> VPN client to prevent this issue and may involve configuration
> settings on the VPN gateway that could apply out to all clients if
> they get updated over time.
With "VPN ateway" you're referring to a single VPN "client" that is
tunneling traffic for all local nodes?
>
> I guess possible options are:
>
> 1) Leaving the I-D "as is", or,
>
> 2) Have a "Mitigations" section where the current Section 6
> ("Mitigations to VPN traffic-leakage vulnerabilities") is
> incorporated as subsection 6.1 (and possibly renamed "Fixing VPN
> client software"), and then adding another subsection entitled
> "Operational mitigations" or the like, essentially discussing
> manually disabling IPv6 on the local system.
>
> I'm inclined to "1)", but nevertheless open to "2)".
>
> KM> If you want to target all user groups as stated above, then I
> think #2 is the only option. If you want to restrict the draft to
> developers and VPN client configuration options, then you can leave
> this part of the draft as-is and add that statement.
The only thing is that I can hear people complaining about the "disable
IPv6" option... Although reality-wise, at times that the only option you
have at hand (e.g., that's what I do when employing OpenVPN).
Thoughts?
Thanks!
Best regards,
--
Fernando Gont
SI6 Networks
e-mail: fgont@si6networks.com
PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
- [secdir] Sec-Dir review of draft-ietf-opsec-vpn-l… Moriarty, Kathleen
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Fernando Gont
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Stephen Kent
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Moriarty, Kathleen
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Paul Hoffman
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Fernando Gont
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Moriarty, Kathleen
- Re: [secdir] Sec-Dir review of draft-ietf-opsec-v… Moriarty, Kathleen